def __init__(self,
fuzz_target,
cross_pollinate_fuzzers,
cross_pollination_method=Pollination.RANDOM,
tag=None):
self.fuzz_target = fuzz_target
self.cross_pollinate_fuzzers = cross_pollinate_fuzzers
self.cross_pollination_method = cross_pollination_method
self.tag = tag
self.merge_tmp_dir = None
self.engine = engine.get(self.fuzz_target.engine)
if not self.engine:
raise CorpusPruningException('Engine {} not found'.format(engine))
self._created_directories = []
# Set up temporary directories where corpora will be synced to.
# Initial synced corpus.
self.initial_corpus_path = self._create_temp_corpus_directory(
'%s_initial_corpus' % self.fuzz_target.project_qualified_name())
# Minimized corpus.
self.minimized_corpus_path = self._create_temp_corpus_directory(
'%s_minimized_corpus' % self.fuzz_target.project_qualified_name())
# Synced quarantine corpus.
self.quarantine_corpus_path = self._create_temp_corpus_directory(
'%s_quarantine' % self.fuzz_target.project_qualified_name())
# Synced shared corpus.
self.shared_corpus_path = self._create_temp_corpus_directory(
'%s_shared' % self.fuzz_target.project_qualified_name())
# Bad units.
self.bad_units_path = self._create_temp_corpus_directory(
'%s_bad_units' % self.fuzz_target.project_qualified_name())
self.merge_tmp_dir = self._create_temp_corpus_directory(
'merge_workdir')
self.corpus = corpus_manager.FuzzTargetCorpus(
self.fuzz_target.engine,
self.fuzz_target.project_qualified_name(),
include_regressions=True)
self.quarantine_corpus = corpus_manager.FuzzTargetCorpus(
self.fuzz_target.engine,
self.fuzz_target.project_qualified_name(),
quarantine=True)
shared_corpus_bucket = environment.get_value('SHARED_CORPUS_BUCKET')
self.shared_corpus = corpus_manager.GcsCorpus(shared_corpus_bucket)
def engine_reproduce(request, _):
"""Run engine reproduce."""
engine_impl = engine.get(request.engine)
result = testcase_manager.engine_reproduce(
engine_impl,
request.target_name,
request.testcase_path,
request.arguments,
request.timeout,
)
return untrusted_runner_pb2.EngineReproduceResult(
command=result.command,
return_code=result.return_code,
time_executed=result.time_executed,
output=result.output,
)
def engine_fuzz(request, _):
"""Run engine fuzzer."""
engine_impl = engine.get(request.engine)
result, fuzzer_metadata = fuzz_task.run_engine_fuzzer(
engine_impl,
request.target_name,
request.sync_corpus_directory,
request.testcase_directory,
)
crashes = [
untrusted_runner_pb2.EngineCrash(
input_path=crash.input_path,
stacktrace=protobuf_utils.encode_utf8_if_unicode(crash.stacktrace),
reproduce_args=crash.reproduce_args,
crash_time=crash.crash_time,
) for crash in result.crashes
]
packed_stats = {}
for key, value in six.iteritems(result.stats):
packed_value = Any()
if isinstance(value, float):
packed_value.Pack(wrappers_pb2.DoubleValue(value=value))
elif isinstance(value, int):
packed_value.Pack(wrappers_pb2.Int32Value(value=value))
elif isinstance(value, six.string_types):
packed_value.Pack(wrappers_pb2.StringValue(value=value))
else:
raise ValueError("Unknown stat type for " + key)
packed_stats[key] = packed_value
return untrusted_runner_pb2.EngineFuzzResponse(
logs=protobuf_utils.encode_utf8_if_unicode(result.logs),
command=result.command,
crashes=crashes,
stats=packed_stats,
time_executed=result.time_executed,
fuzzer_metadata=fuzzer_metadata,
)
def __init__(self, fuzz_target, cross_pollinate_fuzzers):
self.fuzz_target = fuzz_target
self.cross_pollinate_fuzzers = cross_pollinate_fuzzers
self.merge_tmp_dir = None
self.engine = engine.get(self.fuzz_target.engine)
if not self.engine:
raise CorpusPruningException("Engine {} not found".format(engine))
self._created_directories = []
# Set up temporary directories where corpora will be synced to.
# Initial synced corpus.
self.initial_corpus_path = self._create_temp_corpus_directory(
"%s_initial_corpus" % self.fuzz_target.project_qualified_name())
# Minimized corpus.
self.minimized_corpus_path = self._create_temp_corpus_directory(
"%s_minimized_corpus" % self.fuzz_target.project_qualified_name())
# Synced quarantine corpus.
self.quarantine_corpus_path = self._create_temp_corpus_directory(
"%s_quarantine" % self.fuzz_target.project_qualified_name())
# Synced shared corpus.
self.shared_corpus_path = self._create_temp_corpus_directory(
"%s_shared" % self.fuzz_target.project_qualified_name())
# Bad units.
self.bad_units_path = self._create_temp_corpus_directory(
"%s_bad_units" % self.fuzz_target.project_qualified_name())
self.merge_tmp_dir = self._create_temp_corpus_directory(
"merge_workdir")
self.corpus = corpus_manager.FuzzTargetCorpus(
self.fuzz_target.engine, self.fuzz_target.project_qualified_name())
self.quarantine_corpus = corpus_manager.FuzzTargetCorpus(
self.fuzz_target.engine,
self.fuzz_target.project_qualified_name(),
quarantine=True,
)
shared_corpus_bucket = environment.get_value("SHARED_CORPUS_BUCKET")
self.shared_corpus = corpus_manager.GcsCorpus(shared_corpus_bucket)
def __init__(
self,
fuzz_target,
testcase_path,
test_timeout,
gestures,
needs_http=False,
arguments=None,
):
self._testcase_path = testcase_path
self._test_timeout = test_timeout
self._gestures = gestures
self._needs_http = needs_http
if fuzz_target:
engine_impl = engine.get(fuzz_target.engine)
else:
engine_impl = None
# TODO(ochang): Make this hard fail once migration to new fuzzing pipeline
# is complete.
if fuzz_target and engine_impl:
self._is_black_box = False
self._engine_impl = engine_impl
# Read target_name + args.
if not arguments:
arguments = get_command_line_flags(testcase_path)
arguments = data_handler.filter_arguments(arguments,
fuzz_target.binary)
self._arguments = arguments.split()
self._fuzz_target = fuzz_target
else:
self._is_black_box = True
self._command = get_command_line_for_application(
testcase_path, needs_http=needs_http)
def test_for_crash_with_retries(
testcase,
testcase_path,
test_timeout,
http_flag=False,
use_gestures=True,
compare_crash=True,
crash_retries=None,
):
"""Test for a crash and return crash parameters like crash type, crash state,
crash stacktrace, etc."""
gestures = testcase.gestures if use_gestures else None
try:
fuzz_target = testcase.get_fuzz_target()
if engine.get(testcase.fuzzer_name) and not fuzz_target:
raise TargetNotFoundError
runner = TestcaseRunner(fuzz_target, testcase_path, test_timeout,
gestures, http_flag)
if crash_retries is None:
crash_retries = environment.get_value("CRASH_RETRIES")
if compare_crash:
expected_state = testcase.crash_state
expected_security_flag = testcase.security_flag
else:
expected_state = None
expected_security_flag = None
return runner.reproduce_with_retries(crash_retries, expected_state,
expected_security_flag,
testcase.flaky_stack)
except TargetNotFoundError:
# If a target isn't found, treat it as not crashing.
return CrashResult(return_code=0, crash_time=0, output="")
